Cryptojacking is becoming more popular with threat actors, but experts are divided on whether the threat can overtake ransomware as the go-to way for criminals to make money.

Ransomware was found to be the top malware-based threat in the 2018 Verizon Data Breach Investigations Report (DBIR) because of its versatility and ability to make money without monetizing stolen data. Unlike ransomware, cryptojacking attacks don’t require any action by the victim and don’t necessarily require installing malware on a target system either. Simple cryptojacking schemes often involve users visiting websites that run JavaScript in the users’ browsers to mine cryptocurrency.

However, more advanced cryptojacking attacks involve gaining access to corporate networks and placing cryptomining software, such as Coinhive, on servers. The end result of both attack types is still criminals making money by skimming some processor cycles to mine coins quietly in the background.

Various security researchers have reported a rise in cryptojacking attacks over the last six months as the value of different cryptocurrencies has increased. But because of the unique nature of the cryptojacking threat, Gabriel Bassett, co-author of the DBIR, said it was not included in the 2018 Verizon DBIR, and it is unclear if next year’s Verizon DBIR will add cryptojacking attacks.

“Cryptomining would not be a breach. Based on our definition of an incident, it would need to compromise confidentiality, integrity or availability (for example by being installed on a device),” Bassett told SearchSecurity via email. “As such, we didn’t consider it a priority for the 2018 DBIR.”

Regardless of whether or not cryptojacking meets the definition of a “breach,” some experts said the threat will continue to rise. Richard Ford, chief scientist at Forcepoint, said threat actors will follow the money.


“Criminals are many things, but they are not usually stupid when it comes to monetization. Thus, they will aim to optimize the return on investment they make on attacks, factoring in the challenges by getting caught etc.,” Ford told SearchSecurity. “If the cryptocurrency prices remain high and it continues to be a lucrative way of translating cyber value into cash, the attacks there will grow.”

Mayank Choudhary, vice president of products at ObserveIT, said beyond cryptojacking, there is a real threat of data breaches when cryptocurrency is involved.

“We see cryptomining as the latest trend among hackers, especially hackers driven by nation-states with financial, military, economic motivation,” Choudhary told SearchSecurity via email. “Banks/large financial services institutions and governments have started to trade in cryptocurrency. They now have privileged machines where cryptocurrency is stored and users access them for trading. A breach in this infrastructure could cripple the very foundations of the economic and financial institutions. More rewarding and more damaging, as compared to ransomware.”

Cryptocurrency uncertainty

Some experts said the ransomware threat will likely remain more attractive to malicious actors.

Andrew Avanessian, COO of Avecto, said the attractiveness of cryptojacking will “depend on what the future holds for cryptocurrency as it will likely be more regulated than it is today.”

“Banks are starting to get a grip on cryptocurrency and beginning to regulate it. If there are heavy regulations in place, cryptojacking will become less attractive. If banks decide not to regulate cryptocurrency heavily, it may grow in popularity,” Avanessian told SearchSecurity. “This is because with cryptojacking, criminals are not relying on a ransom, just mining their computer.”

James Plouffe, lead solutions architect at MobileIron, agreed that profit would be the deciding factor between ransomware and cryptojacking.

“I would expect the trend to continue toward ransomware attacks: Cryptocurrency mining will probably remain attractive, but cryptocurrencies have been volatile lately and mining is a slow process,” Plouffe told SearchSecurity. “Ransomware is effective, timely, and unfortunately — profitable.”

Bob Rudis, chief data scientist at Rapid7, said “criminals are fully capable of multi-tasking and with the proliferation of ransomware kits there’s no reason to believe ransomware will go away in 2018.”

“Cryptocurrency mining is active due to the still high valuation on many digital currencies and the relative ease of deploying and controlling miners,” Rudis told SearchSecurity via email. “If endpoint detection/protection capabilities increase (to find/remove/prevent miners) or the digital currency markets prove too volatile to rely on as a revenue source, attackers could easily switch back to ransomware attacks as a primary threat action.”

Paul Martini, CEO and co-founder of Iboss, said if cryptojacking does become more profitable, enterprise defenses will need to adjust.

“Over the past couple years hackers have seen success in ransomware, but as the popularity and value of cryptocurrencies continue to increase, organized attackers will shift their focus,” Martini told SearchSecurity. “From the defense side, organizations need to focus on preventing both attack vectors. Both involve malicious traffic coming in, but if they get past the perimeter defenses remediation is very different. Cryptomining is about identifying abnormal traffic patterns on your network, while ransomware is about preventing the spread to minimize the damage.”